CVE-2024-53677
Java vulnerability analysis and mitigation

Overview

CVE-2024-53677 is a critical file upload vulnerability in Apache Struts, publicly disclosed on December 11, 2024 (Apache security bulletin S2-067). It affects Struts 2.0.0 through 2.3.37 (end of life), 2.5.0 through 2.5.33, and 6.0.0 through 6.3.0.2. By manipulating file upload parameters, an attacker can make the legacy file upload mechanism store a file outside the intended upload directory (path traversal), which can lead to Remote Code Execution (RCE) if the written file is a web shell reachable through the web root. The vulnerability carries a Critical CVSS 4.0 score of 9.5 (NVD, Arctic Wolf).

Technical details

The flaw is a path traversal in the Struts 2 file upload handling. It lives in the legacy File Upload Interceptor (the `fileUpload` interceptor), which lets request parameters influence the name under which an uploaded file is stored, so an attacker can steer the file into a directory the application never intended to write to. The new Action File Upload mechanism introduced in Struts 6.4.0 does not share this weakness, which is why the remediation is a migration rather than a drop-in patch. The issue closely resembles the earlier Struts file upload path traversal CVE-2023-50164 (S2-066), and researchers have suggested that an incomplete fix for that issue contributed to this one. The Critical severity is reflected in a CVSS 4.0 score of 9.5 with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:C/RE:L/U:Red: network-reachable, unauthenticated and requiring no user interaction, but with high attack complexity and an attack-requirements precondition (AT:P), such as an upload action that is wired to the legacy interceptor (Sonatype).

Impact

Successful exploitation can lead to Remote Code Execution if the attacker writes a web shell into a location the application server serves, and the traversal also gives the attacker a write primitive against any other path the application's process can reach. Three factors make the impact particularly concerning: the attack can be automated, Struts 2 is widely deployed in enterprise environments, and the disclosure landed during the holiday season, when organizations typically operate with reduced staffing (Sonatype).

Mitigation and workarounds

Organizations are strongly recommended to upgrade to Apache Struts 6.4.0 or later and to migrate every upload action to the new Action File Upload mechanism (the `actionFileUpload` interceptor). Upgrading alone is not sufficient: the change is not backward compatible, actions must be rewritten to receive files through the new interceptor, and any action still using the legacy `fileUpload` interceptor remains vulnerable even on a patched Struts version. Organizations should also maintain an up-to-date software bill of materials (SBOM) to find applications that depend on Struts 2 (including those that bundle it inside a WAR rather than declaring it as a direct dependency), use software composition analysis (SCA) tools to identify affected components, and monitor exploitation trends (Apache, Sonatype).
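The migration the advisory calls for, shown as an added example that is not code from this page, from Apache or from any real application: a legacy-style action that receives the filename through a setter and joins it into a path, beside the same action rewritten against the Struts 6.4.0 Action File Upload API (`org.apache.struts2.action.UploadedFilesAware` receiving `org.apache.struts2.dispatcher.multipart.UploadedFile` objects). The package, class names, upload directory and extension allowlist are assumptions; the Struts interface and method names reflect the 6.4.0 API as the editor understands it and should be checked against the exact version deployed. The "before" class illustrates the risky pattern, not the specific parameter manipulation used against the interceptor, which the page does not detail.

```java
package com.example.upload; // hypothetical package for this example

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;
import com.opensymphony.xwork2.ActionSupport;

/**
 * BEFORE (legacy "fileUpload" interceptor): the interceptor populates the
 * action through plain setters, so the stored name is an ordinary action
 * property that request parameters can reach, and it is joined straight
 * into a filesystem path.
 */
class LegacyDocumentUploadAction extends ActionSupport {
    private File upload;
    private String uploadFileName;

    public void setUpload(File upload) { this.upload = upload; }
    public void setUploadFileName(String uploadFileName) { this.uploadFileName = uploadFileName; }

    @Override
    public String execute() throws IOException {
        // Nothing here prevents uploadFileName from containing "../" segments.
        Path target = Paths.get("/var/app/uploads", uploadFileName);
        Files.copy(upload.toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        return SUCCESS;
    }
}

/**
 * AFTER (Struts 6.4.0 "actionFileUpload" interceptor): files arrive through
 * withUploadedFiles() instead of parameter-populated setters, and the action
 * still treats the client-supplied name as untrusted input.
 */
public class DocumentUploadAction extends ActionSupport implements UploadedFilesAware {
    // Assumed upload root; keep it outside the directory the servlet container serves.
    static final Path UPLOAD_DIR = Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    static final Set<String> ALLOWED_EXTENSIONS = Set.of("pdf", "png", "jpg");

    private List<UploadedFile> uploadedFiles = List.of();

    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles.isEmpty()) {
            addActionError("No file uploaded");
            return INPUT;
        }
        for (UploadedFile uploaded : uploadedFiles) {
            String safeName = safeFileName(uploaded.getOriginalName());
            Path target = safeName == null ? null : resolveUnder(UPLOAD_DIR, safeName);
            if (target == null) {
                addActionError("Rejected file name: " + uploaded.getOriginalName());
                return INPUT;
            }
            // getContent() is the temporary File the multipart handler wrote.
            Files.copy(((File) uploaded.getContent()).toPath(), target,
                    StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }

    /** Reduce a client filename to one conservative, allowlisted path segment, or null. */
    static String safeFileName(String clientName) {
        if (clientName == null) return null;
        // Drop any directory part, whichever separator convention the client used.
        int cut = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String name = clientName.substring(cut + 1);
        // Must start with an alphanumeric (rejects ".", ".." and dotfiles) and stay short.
        if (!name.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,254}")) return null;
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return null;
        // Last extension decides: "shell.pdf.jsp" is rejected, "report.pdf" accepted.
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(ext) ? name : null;
    }

    /** Resolve fileName directly under base; null if it would land anywhere else. */
    static Path resolveUnder(Path base, String fileName) {
        Path target = base.resolve(fileName).normalize();
        return base.equals(target.getParent()) ? target : null;
    }
}
```

Wire the action to the new interceptor in struts.xml (`<interceptor-ref name="actionFileUpload">`, optionally with `allowedExtensions` and `maximumSize` parameters) and remove any remaining `fileUpload` references; an action that stays on the legacy interceptor is still exposed no matter how carefully it names files. The filename allowlist and the `resolveUnder` check are defense in depth: the interceptor migration is what closes CVE-2024-53677, while these checks keep a future bug in the framework or the action from turning into a write outside the upload directory.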

Source: This report was generated using AI.

Related Java vulnerabilities:

CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date
CVE-2026-34361 | CRITICAL | 9.3 | Java | ca.uhn.hapi.fhir:org.hl7.fhir.validation | No | Yes | Mar 31, 2026
CVE-2026-34214 | HIGH | 7.7 | Java | io.trino:trino-iceberg | No | Yes | Mar 31, 2026
CVE-2026-34359 | HIGH | 7.4 | Java | ca.uhn.hapi.fhir:org.hl7.fhir.core | No | Yes | Mar 31, 2026
CVE-2026-34237 | MEDIUM | 6.1 | Java | io.modelcontextprotocol.sdk:mcp-core | No | Yes | Mar 31, 2026
CVE-2026-34360 | MEDIUM | 5.8 | Java | ca.uhn.hapi.fhir:org.hl7.fhir.core | No | Yes | Mar 31, 2026
